The Information Commissioner’s Office (ICO) advises that asking for vaccine information is possible and lawful under data protection laws, provided certain conditions have been met. But making vaccinations a condition of entering the workplace raises other tricky and highly sensitive issues.
Although the government is currently considering whether to make vaccinations mandatory in certain healthcare settings, there is currently no legal obligation or guidance which requires employers to ensure that their workforce have been vaccinated before attending the workplace.
Recent ACAS guidance on getting the vaccine for work confirms this.
Some employees may worry about working alongside staff who haven’t been vaccinated. This could be a health and safety issue for them, and the vaccine should be considered as part of an employer’s health and safety risk assessment.
Employers who ignore their health and safety obligations risk claims such as for personal injury. They could also face unfair dismissal and whistleblowing claims from employees who refuse to come into work because they reasonably believe they are in serious and imminent danger.
But making vaccinations compulsory will give rise to discrimination risk and may contravene an individual’s human right to privacy. There are a number of reasons why employees may be unable or unwilling to have the vaccine, including religion and pregnancy.
Indirect discrimination is not unlawful if it can be objectively justified. This requires the employer to show that there were no other options but to do what it did. There is no margin of discretion unlike in unfair dismissal claims – where there is consideration of what a reasonable employer would have done. In any event, the individual’s circumstances would need to be taken into account, including their role, workplace setting and what other steps could be taken to provide sufficient protection.
There may be some cases where seeking to exclude employees who refuse to have the vaccination will be considered proportionate, but this will be rare. And save for those rare exceptions, any dismissal for refusing to take the vaccine will give rise to unfair dismissal claims.
Given the privacy and discrimination issues, it is unlikely that employers will want to take the compulsory vaccinations approach. Instead, they may wish to encourage employees to get vaccinated, and for those who opt not to have it, require regular mandatory testing to limit risks to other staff.
Testing also raises data protection issues, and there is useful government guidance for employers on coronavirus testing which sets out the legal obligations and best practice for employers to follow.
Whether to ask for evidence of vaccination also raises data protection issues which should be included in an employer’s data protection impact assessment.
There are other issues too: what should an employer do if an employee who says they have been vaccinated refuses to supply confirmatory documentation – or if an employee refuses to disclose their vaccination status?
Employers should start putting in place processes to cover staff and workplace issues arising out of the vaccine rollout and implementing any testing programme. This could include a vaccination policy which encourages staff to be vaccinated when possible.
Any plans should be communicated to staff or unions, and concerns from staff should be managed carefully. If those plans involve processing personal data, employers should assess the data protection issues and undertake a data protection impact assessment.
It is safe to say, though, that as vaccines are not 100% effective, and because it is not yet clear whether vaccinated individuals can still transmit the virus, even with a substantial vaccine take-up, COVID-secure practices such as wearing face masks and social distancing will need to remain in place for some time.
Asking about vaccinations: The data protection considerations:
- Make an assessment of why the data is being captured
- Decide that it is necessary to capture that data
- Ensure all lawful bases under data protection laws for collecting health data have been established
- Be transparent with staff about why the data is being collected and what it will be used for
Nick Elwell-Sutton is partner at Clyde & Co